Win32/Agent.NAY [Threat Name]

Win32/Agent.NAY [Threat Variant Name]

Category: virus
Detection created: Jun 01, 2006
Detection database version: 2222
Aliases: Trojan.Win32.Scar.bcij (Kaspersky)
  Trojan.Horse (Symantec)
  Trojan:Win32/Sisproc (Microsoft)

Short description

Win32/Agent.NAY is a file infector.

Installation

When executed, the virus copies itself into the following location:

  • %windir%\x.exe

In order to be executed on every system start, the virus sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "x.exe" = "%windir%\x.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    • "CheckedValue" = 1

Executable file infection

The virus searches fixed drives for executable files to infect.


The virus searches for files with the following file extensions:

  • *.exe

It avoids files which contain any of the following strings in their path:

  • %windir%

The virus infects the files by inserting its code at the beginning of the original program.

When an infected file is executed, the original program is dropped into a temporary file and run, so the original file is also run.

The name of the temporary file is the following:

  • %originalfilename%.lj

Spreading on removable media

The virus copies itself to the following locations:

  • %drive%\x.exe
  • %drive%\%variable%.exe

The following file is dropped in the same folder:

  • %drive%\autorun.inf

Thus, the virus ensures it is started each time infected media is inserted into the computer.


%variable% represents a string written in the CN language.

Other information

The virus may create the following files:

  • %windir%\%variable%.exe

%variable% represents a string written in the CN language.
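
The file-system indicators listed above can be checked on a mounted volume with a short script. This is an added example, not part of the original description: the function names are hypothetical, and because the description does not show the contents of autorun.inf, the script assumes the standard Windows [autorun] launch keys (open, shellexecute, shell\...\command). The sample volume in demo() is constructed.

```python
import tempfile
from pathlib import Path

# [autorun] keys that name a program for Windows to launch (standard keys, assumed).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

def autorun_targets(inf_text):
    """Return the program paths (arguments dropped) an autorun.inf launches."""
    targets, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in LAUNCH_KEYS and value:
                prog = value[1:].split('"')[0] if value[0] == '"' else value.split()[0]
                targets.append(prog.lstrip("\\/"))
    return targets

def scan_volume(root):
    """Return (indicator, detail) pairs found on the volume mounted at root."""
    root, findings = Path(root), []
    names = {p.name.lower(): p for p in root.iterdir() if p.is_file()}
    if "autorun.inf" in names:
        text = names["autorun.inf"].read_text(encoding="utf-8", errors="replace")
        for prog in autorun_targets(text):
            # An .exe with no directory part sits beside autorun.inf in the root.
            if prog.lower().endswith(".exe") and not set(prog) & set("\\/"):
                findings.append(("autorun-launches-root-exe", prog))
    if "x.exe" in names:
        findings.append(("x.exe-in-root", names["x.exe"].name))
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() == ".lj":
            findings.append(("lj-temp-copy", p.relative_to(root).as_posix()))
    return findings

def demo():
    """Build a constructed sample volume in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "autorun.inf").write_text("[AutoRun]\nopen=x.exe\n")
        (root / "x.exe").write_bytes(b"MZ")
        (root / "tools").mkdir()
        (root / "tools" / "setup.exe.lj").write_bytes(b"MZ")
        return scan_volume(root)

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for further inspection with an up-to-date scanner, not proof of infection: legitimate media can carry an autorun.inf, and other software may use the .lj extension.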
